
PKCE Authorization Code two-stage flow returns from first step as login-page html


#1

Here is the first of our two stage PKCE flow (via iOS Native App):

https://YOUR_AUTH0_DOMAIN/authorize?
audience=API_AUDIENCE&
scope=SCOPE&
response_type=code&
client_id=YOUR_CLIENT_ID&
code_challenge=CODE_CHALLENGE&
code_challenge_method=S256&
redirect_uri=https://YOUR_APP/callback

Response status is 200 but the Auth0 return is the html for the Auth0 login page. Shouldn’t this already be in a format for the 2nd stage of the PKCE flow? Perhaps this means that the initial Auth0 PKCE entry point is not being parsed correctly? Or is the flow not described fully, are they required to login after the 1st stage and before the 2nd stage?

The expectation was a single line of html to parse for the 2nd stage:
(https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce)


#2

The response to the initial /authorize call may require end-user interaction, so what you observed is expected. In your case the end-user would have to login so that the process could continue and the authorization endpoint response could get delivered to the application redirect URL. The second stage would then process that response which, if successful, would mean that you would have an authorization code that could be exchanged for tokens.

In conclusion, the requests to the authorization endpoint may trigger end-user interaction so you need to consider it in your implementation.
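As an added illustration (not code from either post or from Auth0), here is the client side of the two stages in Python: the S256 challenge for stage 1, the check of the redirect that arrives only after the user has logged in, and the body of the stage 2 token exchange. The domain, client id, redirect URI and callback values are constructed placeholders, and nothing is sent over the network.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def generate_code_verifier() -> str:
    # 32 random bytes -> 43 unreserved base64url chars (RFC 7636 allows 43..128).
    return secrets.token_urlsafe(32)


def code_challenge_s256(verifier: str) -> str:
    # S256 = BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding stripped.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(domain, client_id, redirect_uri, audience, scope,
                        challenge, state) -> str:
    # Stage 1. The app opens this URL in the system browser; the reply is the
    # interactive login page until the user authenticates, after which Auth0
    # redirects to redirect_uri with ?code=...&state=...
    params = {
        "audience": audience, "scope": scope, "response_type": "code",
        "client_id": client_id, "code_challenge": challenge,
        "code_challenge_method": "S256", "redirect_uri": redirect_uri,
        "state": state,  # random per request; lets the app bind the callback
    }
    return f"https://{domain}/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    # Reject an error reply and any state the app did not issue itself.
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not issued for this request")
    return qs["code"][0]


def build_token_request(domain, client_id, code, verifier, redirect_uri):
    # Stage 2. POST this form body to /oauth/token; the server recomputes
    # S256(code_verifier) and compares it with the challenge bound to the code.
    body = {
        "grant_type": "authorization_code", "client_id": client_id,
        "code": code, "code_verifier": verifier, "redirect_uri": redirect_uri,
    }
    return f"https://{domain}/oauth/token", body
```

The verifier is kept in app memory between the two stages; only its hash leaves the device in stage 1.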


#3